[clamav-users] Using clamav to test for bad links in incoming emails
Gene Heskett
gheskett at shentel.net
Sun Feb 10 18:15:53 UTC 2019
On Sunday 10 February 2019 13:08:59 G.W. Haywood wrote:
> Hello again,
>
> On Sun, 10 Feb 2019, Gene Heskett wrote:
> > most of what gets my attention comes from local to the US servers
>
> Well the USA _is_ the world's number one spam source. :(
>
> > , like earthlink.
>
> In addition to DNSBL stuff I operate ten local blacklists - see my
> blacklist list below. Earthlink is explicitly listed here in the list
> which rejects on the client server's 'HELO' greeting but certain ASNs,
> network blocks and individual IPs also get the boot. Where possible
> local blacklists are consulted before going out to DNS-based block
> lists like Spamhaus, as it's much more efficient and will also work
> for new spam sources which the DNS based lists haven't yet had enough
> reports about to consider listing. For the avoidance of doubt, _all_
> connections from _all_ earthlink servers are rejected by our servers.
>
Which I don't think you had to do when Joann Dow was teching at
earthlink. That goes back up the log quite a ways though, a good 25
years or more.
> On Sun, 10 Feb 2019, J.R. wrote:
> > Trying not to get too far off topic ...
>
> Until someone persuades me otherwise, IMO anything which tends to make
> the use of ClamAV more efficient and/or more effective is on topic for
> this list. :)
>
> > ... if you reject based on the hostname of the mail server ...
> > ... red flags ...
>
> +1, and you can also look for other red flags at each stage of the
> SMTP conversation, including mail headers. Here are my blacklists
> at the moment:
>
> xm_connect_blacklist (some hostnames, domains and even TLDs are dire)
> xm_country_blacklist (some countries send me nothing but spam)
> xm_whois_blacklist (even some registrars are dire)
> xm_ASN_blacklist (some ASNs are especially dire)
> xm_helo_blacklist (full/partial domain names, TLDs e.g. 'local' here)
> xm_envfrom_blacklist (full or partial address/domain name/TLD)
> xm_SPF_blacklist (see if the sender's SPF record contains red flags)
> xm_RP_blacklist (see if the sender's Responsible Party flags up red)
> xm_rcpt_blacklist (I have numerous spam trap addresses etc.)
> xm_header_blacklist (spam software often writes red flag headers)
>
> There's also a list of DNS-based block lists like Spamhaus. Anyone is
> welcome to all these lists, although they're very much personalised to
> our situation. In any case to use some of them effectively might take
> quite a bit of work.
>
> I don't have at my fingertips much in the way of useful statistics for
> the relative effectiveness of the various blacklists, but if anyone is
> interested I can process the logs for the last couple of years and
> come up with some rough numbers like the 1.3% that I mentioned earlier
> (that is effectively what's left after mail has been run past the
> blacklists).
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
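The staged approach G.W. Haywood describes above (cheap local HELO, envelope-sender, recipient and header lists consulted first, DNS-based block lists only when everything local passes) can be sketched in a few dozen lines. The following is an added illustration, not his xm_* lists or his code: the list contents are constructed samples, the label-boundary matching rule for names and TLDs is an assumption about how "full/partial domain names, TLDs e.g. 'local'" might be expressed, and the Spamhaus lookup is replaced by an injected table so the script runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample lists (not the poster's real xm_* lists). Assumed rule for
# name patterns: a single label such as "local" matches that TLD; a longer
# pattern matches the domain itself and every subdomain of it.
HELO_BLACKLIST: List[str] = ["earthlink.net", "local"]
ENVFROM_BLACKLIST: List[str] = ["bulk@bad.example", "bulkmailer.example", "zip"]
RCPT_BLACKLIST: List[str] = ["trap1@mydomain.example"]   # a spam-trap address
HEADER_BLACKLIST = [("X-Mailer", re.compile(r"\bSuperBulk\b", re.I))]
DNSBL_ZONES: List[str] = ["zen.spamhaus.org"]   # real zone; lookups are injected

@dataclass
class Session:
    """What is known at each point of the SMTP conversation."""
    client_ip: str
    helo: str = ""
    mail_from: str = ""
    rcpt_to: str = ""
    headers: Dict[str, str] = field(default_factory=dict)

@dataclass
class Verdict:
    stage: str    # which list rejected the session
    reason: str   # the pattern or DNSBL answer that matched

def suffix_match(name: str, patterns: List[str]) -> Optional[str]:
    """Match on label boundaries only, so 'earthlink.net' hits
    mail.earthlink.net but not notearthlink.net."""
    labels = name.lower().rstrip(".").split(".")
    for pat in patterns:
        plabels = pat.lower().strip(".").split(".")
        if len(plabels) <= len(labels) and labels[-len(plabels):] == plabels:
            return pat
    return None

def address_match(addr: str, patterns: List[str]) -> Optional[str]:
    """Full address match first, then the domain part against domain/TLD patterns."""
    addr = addr.lower().strip("<>")
    for pat in patterns:
        if "@" in pat and pat.lower() == addr:
            return pat
    domain = addr.rsplit("@", 1)[-1]
    return suffix_match(domain, [p for p in patterns if "@" not in p])

def header_match(headers: Dict[str, str], patterns) -> Optional[str]:
    """Header names are case-insensitive (RFC 5322), so normalise before lookup."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, rx in patterns:
        value = lowered.get(name.lower())
        if value is not None and rx.search(value):
            return f"{name}: {value}"
    return None

def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def screen(session: Session, resolve: Callable[[str], Optional[str]]) -> Optional[Verdict]:
    """Local lists in SMTP order first; DNSBLs only if every local stage passes."""
    local_stages = [
        ("helo",    lambda s: suffix_match(s.helo, HELO_BLACKLIST)),
        ("envfrom", lambda s: address_match(s.mail_from, ENVFROM_BLACKLIST)),
        ("rcpt",    lambda s: address_match(s.rcpt_to, RCPT_BLACKLIST)),
        ("header",  lambda s: header_match(s.headers, HEADER_BLACKLIST)),
    ]
    for stage, check in local_stages:
        hit = check(session)
        if hit:
            return Verdict(stage, hit)
    for zone in DNSBL_ZONES:
        answer = resolve(dnsbl_query_name(session.client_ip, zone))
        if answer:
            return Verdict("dnsbl", f"{zone} -> {answer}")
    return None

# Constructed stand-in for DNS. A real deployment would call
# socket.gethostbyname(name) and treat socket.gaierror (NXDOMAIN) as "not listed".
_LISTED = {"9.113.0.203.zen.spamhaus.org": "127.0.0.2"}

def fake_resolve(name: str) -> Optional[str]:
    return _LISTED.get(name)

SAMPLE_SESSIONS = [  # constructed; documentation-range addresses only
    Session("198.51.100.7", helo="mail.earthlink.net"),
    Session("198.51.100.8", helo="mx.good.example", mail_from="<news@lists.zip>"),
    Session("198.51.100.9", helo="mx.good.example", mail_from="<a@ok.example>",
            rcpt_to="<trap1@mydomain.example>"),
    Session("198.51.100.10", helo="mx.good.example", mail_from="<a@ok.example>",
            rcpt_to="<me@mydomain.example>", headers={"x-mailer": "SuperBulk 2.0"}),
    Session("203.0.113.9", helo="mx.good.example", mail_from="<a@ok.example>",
            rcpt_to="<me@mydomain.example>", headers={"X-Mailer": "Mutt"}),
    Session("198.51.100.11", helo="mx.good.example", mail_from="<a@ok.example>",
            rcpt_to="<me@mydomain.example>"),
]

def run_samples() -> Tuple[List[Optional[str]], int]:
    """Screen the samples and count DNS lookups to show what the local lists save."""
    lookups = 0
    def counting_resolve(name: str) -> Optional[str]:
        nonlocal lookups
        lookups += 1
        return fake_resolve(name)
    verdicts = [screen(s, counting_resolve) for s in SAMPLE_SESSIONS]
    return [v.stage if v else None for v in verdicts], lookups

if __name__ == "__main__":
    stages, lookups = run_samples()
    for s, stage in zip(SAMPLE_SESSIONS, stages):
        print(s.client_ip, "reject at " + stage if stage else "accept")
    print("DNSBL lookups needed:", lookups, "of", len(SAMPLE_SESSIONS))
```

Of the six constructed sessions, four are rejected before any DNS query is made, which is the efficiency point made above; the ordering also matters for the other point, that a brand-new spam source will not yet be in a DNSBL but can still be caught by a HELO or header pattern. Ordering the stages by SMTP phase lets the reject happen at the earliest command where enough is known.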